Solar2月应急响应公益月赛

暗链排查-1

burp 抓包，找到 js，cyberchef 一把梭，纯黑盒

暗链排查-2

root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# gcore -o nginx_core 11
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f5e5760f5b9 in sigsuspend () from /lib/x86_64-linux-gnu/libc.so.6
warning: target file /proc/11/cmdline does not contain a trailing null character
Saved corefile nginx_core.11
[Inferior 1 (process 11) detached]
root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# ls
nginx_core.11
root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# strings nginx_core.11 | grep flag
SSL_CONF_CTX_set_flags
X509_STORE_set_flags
ngx_conf_set_flag_slot
ngx_event_flags
FLAG=flag{f682645fd1004f90840305712c3eca37}
# flag{Xv4C_ZtqD_5umj_cwgw}
# flag{Xv4C_ZtqD_5umj_cwgw}

VMDK 修复

逆向-1

grok 直接秒了

"""
@ Author: b3nguang
@ Date: 2025-01-18 11:48:14
"""

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def decrypt_file(input_file_path, output_file_path):
    # 读取加密文件
    with open(input_file_path, "rb") as f:
        file_data = f.read()

    # 验证标识符
    identifier = file_data[-8:].decode("utf-8")
    if identifier != "12346578":
        raise ValueError("无效的文件格式：标识符不匹配。")

    # 提取 IV（16 字节）
    iv = file_data[-24:-8]  # 从倒数第 24 字节到倒数第 8 字节

    # 提取密钥（32 字节）
    key = file_data[-56:-24]  # 从倒数第 56 字节到倒数第 24 字节

    # 提取加密数据
    encrypted_data = file_data[:-56]  # 去掉末尾 56 字节（32 密钥 + 16 IV + 8 标识符）

    # 设置 AES CBC 解密
    backend = default_backend()
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
    decryptor = cipher.decryptor()

    # 解密数据
    decrypted_padded_data = decryptor.update(encrypted_data) + decryptor.finalize()

    # 去除 PKCS7 填充
    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    decrypted_data = unpadder.update(decrypted_padded_data) + unpadder.finalize()

    # 保存解密后的文件
    with open(output_file_path, "wb") as f:
        f.write(decrypted_data)

    print(f"文件 '{input_file_path}' 已解密为 '{output_file_path}'。")


if __name__ == "__main__":
    # 设置输入和输出文件路径
    encrypted_file_path = r"E:\Downloads\附件\encrypted_file.txt"
    decrypted_file_path = "decrypted_file.txt"

    try:
        decrypt_file(encrypted_file_path, decrypted_file_path)
    except Exception as e:
        print("错误:", str(e))

单机取证-1

火绒扫网站目录，导出一个 dll 报毒，搜索

单机取证-2

单机取证-3

单机取证-5